Changeset - 1bb9f7ac1072
[Not reviewed]
Branko Majic (branko) - 7 years ago 2017-08-02 21:07:40
branko@majic.rs
MAR-112: Added alternate SMTP port:

- Updated mail_server role to deploy firewall rules that include redirection
from TCP port 27 to TCP port 25.
- Updated documentation to include references to the additional port.
- Updated tests to cover the new functionality.
4 files changed with 36 insertions and 8 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -960,7 +960,8 @@ The role implements the following:
 
* Sets-up the necessary directories and files under Postfix chroot.
 
* Configures firewall to allow incoming connections to the mail server. This
 
  includes set-up of redirection from TCP port 26 to TCP port 587 (alternate
 
  SMTP submission port to work around common network blocks).
 
  submission port), as well as redirection from TCP port 27 to TCP port 25
 
  (alternate SMTP port), useful as workaround for ISP/hotel blocks.
 

	
 
Deployed services are configured as follows:
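Review bot: grammar nit in the added line "(alternate SMTP port), useful as workaround for ISP/hotel blocks.": it should read "useful as a workaround". It would also help to state here what port 27 is for: because it is a NAT redirect onto the server-to-server port 25, it only accepts inbound deliveries for hosted domains and denies relaying exactly as 25 does, so authenticated client submission stays on 587 or its alternate 26.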
 

	
docs/usage.rst
 
@@ -828,9 +828,14 @@ role.
 

	
 
  Of course, free feel to also test out the mail server using any mail client of
 
  your choice. When doing so, use port 587 for SMTP. Port 25 is reserved for
 
  unauthenticated server-to-server mail deliveries. TLS has also been hardened
 
  on port 587 to allow only TLSv1.2 and PFS ciphers (you can override TLS
 
  versions/ciphers via role configuration).
 
  unauthenticated server-to-server mail deliveries.
 

	
 
  If you face issues with ISPs or hotels blocking the two ports listed above,
 
  you can also use alternative ports 26 (redirected to port 587) and 27
 
  (redirected to port 25).
 

	
 
  TLS has also been hardened on port 587 to allow only TLSv1.2 and PFS ciphers
 
  (you can override TLS versions/ciphers via role configuration).
 

	
 

	
 
Setting-up mail relaying from web and backup servers
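Review bot: the new paragraph "you can also use alternative ports 26 (redirected to port 587) and 27 (redirected to port 25)" directly follows the advice to use port 587 in a mail client, so a reader may configure a client for 27; say that only 26 is a submission alternative, while 27 behaves exactly like 25 (unauthenticated server-to-server delivery, relaying denied), which is what test_open_relay in this changeset checks. While here, the unchanged context line "free feel to also test out" should read "feel free".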
roles/mail_server/files/ferm_mail.conf
 
@@ -16,9 +16,12 @@ domain (ip ip6) {
 

	
 
    table nat {
 
        chain PREROUTING {
 
            # Set-up redirection for alternate SMTP port (to avoid ISP/hotel blocks
 
            # etc).
 
            # Set-up redirection for alternate SMTP submission port (to avoid
 
            # ISP/hotel blocks etc).
 
            proto tcp dport 26 REDIRECT to-ports 587;
 

	
 
            # Set-up redirection for alternate SMTP port (to avoid ISP blocks).
 
            proto tcp dport 27 REDIRECT to-ports 25;
 
        }
 
    }
 
}
 
\ No newline at end of file
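Review bot: the file still ends without a trailing newline ("\ No newline at end of file"); add one so the next edit to the closing brace does not show up as a spurious change. Since the rule sits in nat PREROUTING, the filter table's INPUT chain sees dport 25 after rewriting and no extra accept rule for port 27 is needed; a one-line comment saying so next to "proto tcp dport 27 REDIRECT to-ports 25;" would save the next reader from looking for it.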
roles/mail_server/tests/test_client2.py
 
@@ -22,6 +22,14 @@ def test_open_relay(Command):
 
    assert send.rc == no_recipients_accepted
 
    assert "Relay access denied" in send.stdout
 

	
 
    send = Command('swaks --port 27 --suppress-data --to root@client1 --server parameters-mandatory')
 
    assert send.rc == no_recipients_accepted
 
    assert "Relay access denied" in send.stdout
 

	
 
    send = Command('swaks --port 27 --suppress-data --to root@client1 --server parameters-optional')
 
    assert send.rc == no_recipients_accepted
 
    assert "Relay access denied" in send.stdout
 

	
 

	
 
def test_mail_delivery(Command):
 
    """
 
@@ -243,7 +251,7 @@ def test_connectivity(Command, Sudo):
 

	
 
        for server in ["parameters-mandatory",
 
                       "parameters-optional"]:
 
            for port in [25, 26, 587, 143, 993, 4190]:
 
            for port in [25, 26, 27, 587, 143, 993, 4190]:
 

	
 
                ping = Command('hping3 -S -p %d -c 1 %s' % (port, server))
 
                assert ping.rc == 0
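Review bot: adding 27 to the hping3 list only confirms that a SYN on that port is answered; whether the redirect lands on 25 rather than 587 is left to test_port_forwarding, which is fine for a connectivity check but worth noting in a comment above the port list.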
 
@@ -251,9 +259,20 @@ def test_connectivity(Command, Sudo):
 

	
 
def test_port_forwarding(Command, Sudo):
 
    """
 
    Tests if port forwarding is set-up correctly for submission port.
 
    Tests if port forwarding is set-up correctly for additional SMTP and
 
    submission ports.
 
    """
 

	
 
    # Regular SMTP.
 
    send = Command('swaks -tls --port 27 --to john.doe@domain1 --server parameters-mandatory')
 
    assert send.rc == 0
 
    assert "Ok: queued as" in send.stdout
 

	
 
    send = Command('swaks -tls --port 27 --to john.doe@domain1 --server parameters-optional')
 
    assert send.rc == 0
 
    assert "Ok: queued as" in send.stdout
 

	
 
    # Submission port.
 
    send = Command('swaks -tls --port 26 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-mandatory')
 
    assert send.rc == 0
 
    assert "Ok: queued as" in send.stdout